how to mysql_real_escape_string SQL Query?

Question

theres single quotes using in

$bio = "$user->description";

inserting DB like this;

<?
$sql = "insert into yyy (id, twitterid, twitterkullanici, tweetsayisi, takipettigi, takipeden, nerden, bio, profilresmi, ismi) values ('', '$id', '$twk', '$tws', '$tkpettigi', '$tkpeden', '$nerden', '$bio', '$img', '$isim')";

$ak = mysql_query("select * from yyy where twitterid = '$id'");
if (mysql_num_rows($ak) == 0) {
    $sonuc = mysql_query($sql) or die(mysql_error());
    echo "ciciş listesine eklendin :)"; 
}
elseif (mysql_num_rows($ak) == 1) {
    $sonuc = "zaten ciciş olarak eklenmişsin. ikinci kere eklemeye ne gerek var :)";
}

?>

how can i mysql_real_escape_string the $bio correctly?

John Conde · Accepted Answer · 2010-02-04 15:50:58Z

2

Make sure you establish a connection to your MySQL database first.

$sql = "insert into yyy (id, twitterid, twitterkullanici, tweetsayisi, takipettigi, takipeden, nerden, bio, profilresmi, ismi) values ('', '$id', '$twk', '$tws', '$tkpettigi', '$tkpeden', '$nerden', '" . mysql_real_escape_string($bio) . "', '$img', '$isim')";

FYI, this could have easily been found with a Google search or using the PHP documention.

Also, you should use this for any strings and/or user submitted data. Not just select fields.

answered Feb 4, 2010 at 15:50

John Conde

220k100 gold badges464 silver badges504 bronze badges

Sign up to request clarification or add additional context in comments.

Comments

Arkh · Accepted Answer · 2010-02-04 15:54:18Z

2

You don't. Start using parameterized queries with mysqli or better, PDO

Example from the php doc with PDO :

<?php
$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)");
$stmt->bindParam(':name', $name);
$stmt->bindParam(':value', $value);

// insert one row
$name = 'one';
$value = 1;
$stmt->execute();

// insert another row with different values
$name = 'two';
$value = 2;
$stmt->execute();
?>

answered Feb 4, 2010 at 15:54

Arkh

8,44043 silver badges47 bronze badges

2 Comments

Flavius Over a year ago

Why do you -1 such a beautiful advice? Idiots. +1 from me dude.

Arkh Over a year ago

Thanks Flavius. But I guess my tone is a little rude. I just hope the mysql extension is dropped in PhP 6.

Collectives™ on Stack Overflow

how to mysql_real_escape_string SQL Query?

2 Answers 2

Comments

2 Comments

Your Answer

Hot Network Questions

Collectives™ on Stack Overflow

2 Answers 2

Comments

2 Comments

Your Answer

Sign up or log in

Post as a guest

Related